1.1. Personal data (PD) — any data that allows an individual to be identified, including, but not limited to, the following:
1.2. The principles of processing PD are as follows:
1.3. Data Protection Officer — an employee of the Company who is responsible for the control of compliance with the procedures for processing and protecting personal data. Contact details -
1.4. Responsible person — an employee of the Company who is involved in the processing of PD and / or in the support of issues related to this processing.
1.5. Processing of PD — any action or set of actions, such as collection, registration, accumulation, storage, adaptation, change, restoration, use and distribution (granting access to third parties, realization, transfer), depersonalization or destruction of personal data, including with the use of information (automated) systems. Processing is carried out in strict conformity with certain procedures, with obligatory observance of:
1.6. Procedure of PD processing — a detailed description of the actions carried out by Responsible persons of the Company when processing PD, which specifies:
2.1. Internal PD (IPD) — personal data of the Company's employees, processed in the PD "EMPLOYEES" database for the purpose of personnel records management and the preparation of statistical, managerial and other reporting information on personnel issues. The category of personal data processed in the PD "EMPLOYEES" database includes:
Paper copies of primary documents are kept in personnel files of employees.
The IPD is kept by the Company for the duration of the employment relationship between the employee and the Company, as well as for 2 (two) years after its termination. At the end of the specified period, the said IPD should be transferred to the archive for permanent storage for a period of 75 years.
By legal status, the Company is the owner and manager (Law 2297) of the PD "EMPLOYEES" database.
2.2. External PD (EPD) — personal data received from the Clients of the Company's services, the processing of which is carried out on the basis of and within the framework of the contracts concluded for the provision of the relevant services. The Customer of the Company's services shall ensure compliance with the requirements of the legislation on the protection of Personal Data prior to their transfer to the Company, and the Company, in turn, shall do so during the processing.
EPD are processed according to the Procedure of processing of PD, which is an integral part of the agreement on the provision of the corresponding services.
EPD are stored for the periods defined in the Procedure of processing of PD, but within the period of validity of the corresponding consent.
The Company is the Administrator (Law 2297) and the Processor (GDPR) in its legal status in relation to the EPD, and the Client is the Owner (Law 2297) and the Controller (GDPR).
Processing of personal data in the software and hardware complexes of the Company is carried out using means of network protection against unauthorized access.
Access to the software and hardware complexes of the Company is granted in strict accordance with the current access control procedures.
Responsible persons of the Company are allowed to process personal data only after their authorization. Access by persons who have not passed the identification and / or authentication procedure is blocked. In the information (automated) system where personal data are processed, registration is carried out, in particular:
Registration data are protected from modification and destruction. Registration data shall be stored and provided upon a reasoned request to the Data Protection Officer for analysis related to personal data. The Company provides anti-virus protection in the information (automated) system.
The degree of access to PD processing (making changes, forming reports and analytical information, viewing or other, if necessary) is determined by the position of the responsible person.
Each employee of the Company draws up and personally signs an obligation to preserve information with restricted access.
Properly executed obligations to preserve information with restricted access are kept in the personal files of responsible persons.
Heads of structural divisions constantly monitor the observance by their subordinate employees of the Procedure of processing of personal data, as well as the legality of the processing of personal data and the protection of personal data during processing.
The Company notifies the subjects of personal data protection and Controllers of all identified cases of unauthorized distribution of personal data within a period not exceeding 72 hours.
Personal data collected in violation of the requirements of Law 2297 is subject to deletion or destruction in the databases of personal data in accordance with the procedure established by law.
4.1. Grounds for processing of personal data are:
4.2. The procedure for third-party access to personal data is determined by the conditions of the consent that the subject of personal data has given to the owner of personal data for the processing of this data, or in accordance with the requirements of Law 2297. Access to personal data is not provided to a third party if that party refuses to undertake obligations to ensure compliance with the requirements of Law 2297 or is unable to ensure it.
4.3. The subject of the relationship relating to personal data submits a request to the Company for access to personal data. The content of the request for access is defined in Article 16 of Law 2297, and the period for reviewing this request with a view to satisfying it may not exceed ten working days from the date of its receipt by the Company.
Within this period, the Company will inform the person making the request whether the request will be granted or that the relevant personal data will not be provided, indicating the grounds as defined in the relevant regulation.
The request is satisfied within thirty calendar days from the date of its receipt by the Company, unless otherwise provided by the legislation of Ukraine.
4.4. A notice of exclusion of access to personal data of third parties is sent by the Company to the third party who submitted the request, in writing, with an explanation of the procedure for appealing such a decision in accordance with Article 17 of Law 2297.
The decision to remove or refuse access to personal data may be appealed to the Authorized person or in court.
4.5. The Company, as the owner of the personal data base, shall notify the subject of personal data within ten working days, if required by the terms of consent or unless otherwise provided by the legislation of Ukraine in the field of personal data protection.
4.6. The notifications specified in paragraph 4.5 of this Policy shall not be made in the case of:
4.7. The Company also notifies the subject of personal data, as well as the subjects of relations related to personal data to whom this data has been communicated, of the change, deletion or destruction of personal data or of the restriction of access to them, within ten working days. The employees of the Company designated by the relevant order of the Director of the Company are responsible for the timely provision of the notification.
4.8. In cases of violation of the requirements of the legislation on protection of personal data Responsible persons may be held liable for administrative violations of such laws.
4.9. For violation of privacy, namely for illegal collection, storage, use, destruction, distribution of confidential information about the person or illegal change of such information, the guilty Responsible persons may be held criminally liable.
4.10. Control over the observance of the legislation on personal data protection within the limits of powers provided by the Law 2297 is carried out by the Commissioner and courts.